Re-jigged the order of the tests in the default configuration so that

the tests for valid domains and recipients precede the DNS black list
and CSA tests, on the grounds that those ones are more expensive.

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 8ec3d886570d58e2051f37a89db1fc36b8527818..c3f20ab70cf94e7e3b4c4601e9eacdc92e460bd4 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.381 2006/07/27 10:13:52 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.382 2006/07/27 10:36:34 ph10 Exp $
 
 Change log file for Exim from version 4.21
 -------------------------------------------
@@ -131,6 +131,10 @@ PH/23 Made -oMaa and -oMt work with -bh and -bs to pretend the connection is
       values for $authenticated_id and $authenticated_sender (but permit -oMai
       and -oMas) when testing with -bh.
 
+PH/24 Re-jigged the order of the tests in the default configuration so that the
+      tests for valid domains and recipients precede the DNS black list and CSA
+      tests, on the grounds that those ones are more expensive.
+
 
 Exim version 4.62
 -----------------

diff --git a/src/src/configure.default b/src/src/configure.default
index 9ae20dae91aec973333f339751ab826e96e61201..3fb0ffa281002ebee7ce33a0875546716630f615 100644 (file)
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -1,4 +1,4 @@
-# $Cambridge: exim/src/src/configure.default,v 1.9 2006/07/07 13:54:32 ph10 Exp $
+# $Cambridge: exim/src/src/configure.default,v 1.10 2006/07/27 10:36:34 ph10 Exp $
 
 ######################################################################
 #                  Runtime configuration file for Exim               #
@@ -380,6 +380,21 @@ acl_check_rcpt:
   accept  authenticated = *
           control       = submission
 
+  # Insist that any other recipient address that we accept is either in one of
+  # our local domains, or is in a domain for which we explicitly allow
+  # relaying. Any other domain is rejected as being unacceptable for relaying.
+
+  require message = relay not permitted
+          domains = +local_domains : +relay_domains
+
+  # We also require all accepted addresses to be verifiable. This check will
+  # do local part verification for local domains, but only check the domain
+  # for remote domains. The only way to check local parts for the remote
+  # relay domains is to use a callout (add /callout), but please read the
+  # documentation about callouts before doing this.
+
+  require verify = recipient
+
   #############################################################################
   # There are no default checks on DNS black lists because the domains that
   # contain these lists are changing all the time. However, here are two
@@ -405,26 +420,10 @@ acl_check_rcpt:
   # require verify = csa
   #############################################################################
 
-  # Accept if the address is in a local domain, but only if the recipient can
-  # be verified. Otherwise deny. The "endpass" line is the border between
-  # passing on to the next ACL statement (if tests above it fail) or denying
-  # access (if tests below it fail).
-
-  accept  domains       = +local_domains
-          endpass
-          verify        = recipient
+  # At this point, the address has passed all the checks that have been
+  # configured, so we accept it unconditionally.
 
-  # Accept if the address is in a domain for which we are an incoming relay,
-  # but again, only if the recipient can be verified.
-
-  accept  domains       = +relay_to_domains
-          endpass
-          verify        = recipient
-
-  # Reaching the end of the ACL causes a "deny", but we might as well give
-  # an explicit message.
-
-  deny    message       = relay not permitted
+  accept
 
 
 # This ACL is used after the contents of a message have been received. This